January 2007
Report No. 07-004

Interagency Agreement With the General Services Administration for the Infrastructure Services Contract

AUDIT REPORT

Material has been redacted from this document to protect personal privacy, confidential or privileged information.

Background and Purpose of Audit

In March 2004, the FDIC entered into an interagency agreement with the General Services Administration (GSA) for information technology (IT) support services. Under GSA’s Federal Systems Integration Management Center (FEDSIM) Millennia contract, GSA issued the Infrastructure Services Contract (ISC) to SRA International, Inc. (SRA) for IT support services for the Corporation. According to the Board Case approved by the FDIC’s Board of Directors, the contract consolidated 37 FDIC infrastructure support contracts. The ISC’s approved total value, including four 1-year contract option periods, is $357 million.

FEDSIM is to provide acquisition support for the ISC, while the FDIC’s Division of Information Technology (DIT) has assumed responsibility for contract management and oversight.

Our audit objective was to determine whether (1) controls are adequate to ensure that work performed under the ISC complies with the contract’s terms and conditions and (2) this contracting method has produced the intended results.

To view the full report, go to www.fdicig.gov/2007reports.asp

Results of Audit

The ISC has substantially achieved the Corporation’s desired results, as presented in the Board Case. Most notably, the ISC establishes a single point of accountability and responsibility for IT infrastructure support, enabling DIT to better manage that aspect of its operations. Also, the FDIC has established mechanisms to promote improved infrastructure performance and service, and the Corporation has rated the contractor’s mid-term performance as excellent in that regard.

Although DIT’s analyses showed there had been savings on labor and procurement, DIT needed to improve its methodology for measuring ISC labor costs and the savings resulting from implementing this contracting method. Such improvements would provide DIT with enhanced performance evaluation and decision-making ability.

The combination of controls established by the FDIC and those assigned to FEDSIM through the interagency agreement were adequate to ensure that work under the ISC complied with the contract terms and conditions. Also, DIT and FEDSIM had established controls over labor costs that focused on ensuring total spending on each ISC task area was within pre-approved spending plans. We concluded, however, that the Corporation should consider providing additional oversight to decisions regarding significant contract modifications involving a reallocation of contract funding. Additionally, the Corporation should consider employing additional risk-based, cost-effective controls to monitor the hours worked by highly-paid staff, labor rates being charged, and the mix of labor categories being billed. Employing additional cost-effective, risk-based controls in this area could help the Corporation avoid incurring unreasonable costs.

Recommendations and Management Response

The report makes three recommendations for DIT to strengthen its monitoring and oversight by developing a more structured methodology for evaluating ISC’s performance; strengthening the oversight process for proposed contract modifications; and establishing additional cost-effective, risk-based controls to ensure the reasonableness of labor costs. DIT management concurred with the recommendations and will document the activities to provide a more structured methodology for evaluating ISC’s performance; establish a process for presenting and obtaining senior management approval for contract line item allocations; and develop a process for conducting periodic program-wide reviews to assess the reasonableness of the ISC staffing and management plans. Management’s planned actions are responsive to our recommendations.

TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
ACHIEVEMENT OF DESIRED RESULTS
MEASURING COSTS AND SAVINGS
  Projected Savings in the ISC Board Case
  FAR Requirements for Cost Control
  Earned Value Management
  DIT Cost Measurement and Savings Analysis
  Recommendation
INTERNAL CONTROLS
  Internal Control Standards and FAR Requirements
  Consolidated Contracting Risks and Controls
  Contract Funding
  Controls Over the Reasonableness of Labor Charges
  Recommendations
CORPORATE COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: INTENDED RESULTS AND MEASUREMENT CRITERIA
APPENDIX III: OIG ANALYSIS OF SAVINGS ASSOCIATED WITH SRA CONTRACTING ACTIONS
APPENDIX IV: CORPORATION COMMENTS
APPENDIX V: MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLES:
Table 1: Funding Allocation for SRA
Table 2: Summary of Achievement of Desired Results
Table 3: CLIN Impact of Modification 05
Table 4: DIT Control Points Over ISC Funding
Table 5: Comparison of Contract Ceiling Rates to Hourly Rates Paid
Table 6: Rates for Highly-Compensated Employees
Table 7: Summary of Charges that Exceeded Ceiling Rates for July 2005

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE: January 10, 2007

MEMORANDUM TO: Michael E. Bartell, Chief Information Officer and Director, Division of Information Technology

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: Interagency Agreement With the General Services Administration for the Infrastructure Services Contract (Report No. 07-004)

This report presents the results of the FDIC Office of Inspector General’s (OIG) audit of the Division of Information Technology’s (DIT) efforts to provide consolidated information technology (IT) infrastructure support for the Corporation. The consolidation was accomplished under an Interagency Agreement with the General Services Administration (GSA), through which a task order was issued to SRA International, Inc. (SRA) under GSA’s Federal Systems Integration Management Center’s (FEDSIM) Millennia[1] contract. The objective of the audit was to determine whether controls are adequate to ensure that work performed under the SRA task order, the Infrastructure Services Contract (ISC), complies with contract terms and conditions and that this contracting method has produced the desired results. Details on our objective, scope, and methodology are presented in Appendix I.

BACKGROUND

In March 2004, the FDIC entered into an interagency agreement (Purchase Order 04-00125-T-DY) with FEDSIM to provide assistance in obtaining IT support services. Through its Millennia contract, FEDSIM awarded a performance-based contract for managing the FDIC’s infrastructure facilities, hardware, software, and systems, including, but not limited to, help desk operations, network operations, data center support, and security operations.
DIT’s overall objectives in entering into the agreement were to have a single point of accountability to produce an efficient and cost-effective IT infrastructure and to align its infrastructure management and support strategy with industry best practices, including the use of a performance-based contracting structure. For this effort, on June 28, 2004, the FDIC’s Board of Directors approved expenditure authority for $357 million for consolidating no less than 36[2] existing contracts and for obtaining hardware and software maintenance and software and equipment. The Board approved an additional $5 million to noncompetitively extend the periods of performance of selected infrastructure support contracts that were already in use, thus allowing these contracts to be transitioned to the Millennia contractor chosen by FEDSIM.

[1] The Millennia contract is a government-wide acquisition contract program consisting of nine indefinite delivery/indefinite quantity contracts accessible to all federal government agencies. Millennia contractors provide a broad range of IT support. SRA participates as one of the nine Millennia contractors under Contract No. GS00T99ALD0211.

Interagency Agreement

According to the interagency agreement, FEDSIM is to provide acquisition and project management support to ensure that current and planned FDIC IT requirements are met. Under the agreement, FEDSIM is responsible for overseeing the planning and implementation of a solicitation process, proposal evaluation and award, contract administration, quality assurance, process improvement, and IT tools procurements. FEDSIM recommended that the FDIC use the Millennia contract.

The FDIC’s interagency agreement with FEDSIM gives FEDSIM full responsibility for:

   •   Awarding and administering all contracts/delivery orders/task orders issued to contractors.
   •   Directing and monitoring the contractor’s work, providing technical assistance and advice to the contractor, attending status meetings, and conducting detailed reviews of all deliverables.

The terms also indicated that FEDSIM may require client assistance and participation for these activities.

Infrastructure Services Contract

On September 20, 2004, on behalf of the FDIC, FEDSIM issued the ISC[3] to SRA. The ISC was awarded in accordance with the Federal Acquisition Regulation (FAR) under GSA’s Millennia contract for the purpose of consolidating support provided under numerous FDIC IT infrastructure contracts.
Funding was allocated as shown in Table 1.

Table 1: Funding Allocation for SRA

Interagency Agreement      FDIC Approval Date      Amount
Initial Funding [a]        03/02/04                    $300,000
Additional Funding [b]     07/16/04                  $3,000,000
Additional Funding [c]     01/13/05                $341,541,035
Total                                              $344,841,035

Source: FEDSIM Interagency Agreement/Amendment.
[a] FEDSIM’s initial fee included services for all phases of the acquisition process, including presolicitation planning through contract award; post-award contract administration; and the issuance of delivery orders under the contract.
[b] FEDSIM was also to receive a processing fee equal to one-half of 1 percent of all payments made to FEDSIM up to a maximum of $100,000 per payment. At the FDIC’s request, FEDSIM agreed to limit the transaction fee to $100,000 for the life of the ISC with the understanding that FEDSIM will continue to manage the ISC for the FDIC to contract completion and that FEDSIM shall receive revenue from the FDIC for these services.
[c] The total task order ceiling is based on funding information amended on January 13, 2005.

[2] The Board Case for the ISC identified 9 labor contracts to be consolidated and 28 “optional contracts” to be evaluated for consolidation, for a total of 37 contracts. Ultimately, more than 37 contracts were consolidated.
[3] The ISC was issued by FEDSIM as Task Order GST0004AJM061.

FEDSIM Billings to the FDIC

FEDSIM bills the FDIC monthly for the actual labor and travel costs associated with providing acquisition and project management support to ensure that current and planned FDIC IT requirements are met. FEDSIM charges include costs for planning and implementing a solicitation process, proposal evaluation and award, contract administration, quality assurance, process improvement, and IT tools procurement. For the 12-month period ended December 31, 2005, the FDIC paid FEDSIM $281,492 for its services.

SRA Billing to FEDSIM

Under the ISC, SRA is reimbursed monthly for its costs (actual salaries and pass-through costs in addition to an overhead rate). SRA’s invoice is submitted to FEDSIM for payment and is reviewed by both FEDSIM and the FDIC. The labor portion of the ISC is a cost-plus-award-fee task order for a 5-year period of performance (1-year base period and four optional 1-year extensions through September 20, 2009). The FDIC chose a 5-year performance period to provide operational continuity and encourage the stability of contractor personnel. SRA’s monthly invoices are paid by FEDSIM with funds allocated by the FDIC. Costs associated with the ISC consist of a base amount capped at the inception of the ISC and detailed in a spending plan.

SRA Award Fee

SRA is also paid an award fee based on meeting specific performance standards. The award fee amount is based on a judgmental evaluation by the government and is intended to provide sufficient motivation for excellence in contract performance. The maximum award fee for each 6-month evaluation period over the 5-year term of the contract is set at about $1 million.
To encourage improved contractor performance, the ISC provides that any portion of the unearned award fee may be rolled into the next evaluation period for the contract. An award fee of $1,015,382 was paid to SRA for the 6-month evaluation period ended September 30, 2005. SRA billings for services for that period totaled $17,375,670. SRA was also paid $62,619 of the $70,977 rolled over from award period 1 for a total award of $1,078,001.

Contract Oversight Roles and Responsibilities

The FDIC has delegated to FEDSIM the authority to act as the Contracting Officer with overall responsibility for contract management, while DIT is assigned certain contract oversight responsibilities. To provide oversight, DIT established an ISC Oversight Committee, a Program Lead/Program Management Officer, a Quality Assurance Coordinator, Technical Monitors, and Subject Matter Experts. The duties of each are defined in the September 5, 2005, Technical Monitor and Subject Matter Expert Designations, Duties, and Responsibilities.

The ISC Oversight Committee consists of the FDIC Chief Information Officer (CIO) and Deputy CIO. This committee is responsible for approving or obtaining approval for all contract modifications and all reallocations of funds. The committee also addresses or resolves issues that cannot be resolved by the project management team, require business concurrence, affect corporate policies, and affect organizational structure.

The Program Lead is responsible for the overall management/oversight of the ISC program. The Lead assures that ISC project goals are in line with the corporate strategy and performs ISC Program Management Officer functions and strategic planning. Additionally, the Lead serves as a voting member of the Award Fee Evaluation Board (AFEB) and makes decisions regarding ISC issues.

The Program Management Officer (PMO) serves as the Technical Monitor for the ISC Program Management Task Area. The PMO is responsible for the overall coordination of the ISC Oversight Team and acts as liaison to FEDSIM regarding task order planning, oversight, modifications, and issues. The PMO also serves as the Lead Point of Contact to the contractor and facilitates problem resolution and reviews and approves contract deliverables. The PMO submits award fee evaluation reports and provides information to the Oversight Committee, DIT management, FEDSIM Project Team, and AFEB. Further, the PMO conducts duties as an AFEB Chairperson and voting member.

The Quality Assurance Coordinator coordinates information and data collection with Quality Assurance Subject Matter Experts and Technical Monitors. The Coordinator tracks performance, reviews and approves contract deliverables, submits award fee evaluation reports, and provides information to the FDIC’s ISC PMO and AFEB. The Coordinator also serves as a voting member of the AFEB.

Technical Monitors, with input from the Subject Matter Experts, are responsible for:

   •   coordinating with the Contractor Task Leads,
   •   monitoring day-to-day performance,
   •   reviewing and approving contract deliverables,
   •   reviewing monthly invoices,
   •   submitting award fee evaluation reports (mid-term and final), and
   •   providing information to program management and the AFEB, as requested.

The Technical Monitors also may serve as rotating voting members or non-voting members of the AFEB and may approve, through delegated authority, expenditures for IT goods costing less than $25,000.

Additionally, the FDIC Division of Administration’s (DOA) Acquisition Services Branch (ASB) is to observe the process on infrastructure-specific performance contracting with the expectation that, in the event the interagency agreement with the FEDSIM is not renewed, ASB will be able to assume direct responsibility for the solicitation and administration of the successor contract. To prepare for future events and to ensure the FDIC’s contracting interests are protected, ASB has assigned a Principal Contract Specialist to provide oversight and advice on matters pertaining to the interagency agreement, ISC, task order, and modifications.

RESULTS OF AUDIT

The ISC, as of September 2005, has substantially achieved the Corporation’s desired results, as presented in the Board Case. For example, a single point of accountability and responsibility exists for IT infrastructure support, enabling DIT to better manage that aspect of its operations. In addition, the FDIC has established mechanisms to promote improved infrastructure performance and service, and the Corporation has rated the contractor’s mid-term performance as excellent in that regard (Achievement of Desired Results).

Although DIT’s analyses showed there had been savings on labor and procurement, DIT needed to improve its methodology for measuring ISC labor costs and the savings resulting from implementing this contracting method. Such improvements would provide DIT with enhanced performance evaluation and decision-making ability (Measuring Costs and Savings).

The combination of controls established by FDIC and those assigned to FEDSIM through the interagency agreement were adequate to ensure that work under the ISC complied with the contract terms and conditions. Also, DIT and FEDSIM had established controls over labor costs that focused on ensuring total spending on each ISC task area was within pre-approved spending plans. We concluded, however, that the Corporation should consider additional oversight for decisions on significant contract modifications involving reallocation of contract funding to ensure funds are used for their intended purposes. Additionally, the Corporation should consider employing additional risk-based, cost-effective controls to monitor the hours worked by highly-paid staff, labor rates being charged, and the mix of labor categories being billed. Employing additional risk-based, cost-effective controls in this area could help the Corporation avoid incurring unreasonable costs (Internal Controls).

ACHIEVEMENT OF DESIRED RESULTS

As summarized in Table 2, on the next page, the ISC had substantially achieved the Corporation’s desired results, as presented in the Board Case.
With regard to cost reduction, DIT’s analyses showed there had been savings on labor and procurement. However, DIT needed to improve its methodology for measuring ISC labor costs and the savings resulting from implementing this contracting method. We discuss DIT’s analysis of cost savings in detail in the next section of this report.

Table 2: Summary of Achievement of Desired Results

1. Intended Result: Single point of accountability and responsibility for contractor performance.
   Result Achieved: Yes. SRA was accountable for all aspects of IT infrastructure support, thus facilitating DIT’s ability to manage ISC as a performance-based contract. FEDSIM was accountable for providing acquisition and project management support.

2. Intended Result: Results-based contract administration, including performance metrics.
   Result Achieved: Yes. The FDIC contracted for results-based contract administration. The FDIC has assumed the FEDSIM’s responsibility for technical monitoring and subject matter expertise, thereby reducing the FEDSIM’s hourly oversight charges.

3. Intended Result: Improved infrastructure performance and service.
   Result Achieved: Yes. SRA was awarded for improved infrastructure performance and service through semiannual award fee evaluations conducted jointly by the FDIC and FEDSIM. The most recent mid-term evaluation, dated August 17, 2006, credited SRA with identifying best practices and process improvements and making strategic recommendations. It also noted that SRA had improved system stability and decreased down time while being proactive in developing and implementing solutions. Further, the evaluation noted that SRA’s Help Desk performance, according to an independent assessment, continued to be higher than the industry average.

4. Intended Result: A long-term relationship that shares risk, motivates the contractor, and identifies and implements industry best practices.
   Result Achieved: Yes. The contracting period with renewal options is for 5 years. The award fee program serves to motivate contractor performance. For the mid-term rating period, April 1, 2006 through June 2006, the FDIC rated SRA’s overall performance as “Excellent.”

5. Intended Result: Continuing technology refreshment and innovation in response to contract incentives.
   Result Achieved: Yes. SRA’s overall performance was rated above average with no serious nonconformance, delays, or cost issues. Innovation was rated as improving during the first year of the 5-year contract.

6. Intended Result: Reduced contractor turnover and longer-term retention of knowledgeable contractor staff.
   Result Achieved: Yes. Prior to the ISC, multiple contracts were issued predominately as short-term (1 base year, 2 option years) contracts that terminated at various times. DIT expects there will be individual turnover in areas as SRA strives to find the best fit of talent to meet the FDIC’s requirements and as technology progresses.

7. Intended Result: Cost reduction resulting from increased purchasing power and elimination of inefficiencies in overlapping contract scopes.
   Result Achieved: Partially. DIT prepared a cost-savings analysis for equipment and an analysis of contract labor. However, we could not verify DIT’s claimed cost savings. DIT planned to prepare a cost-savings analysis to show projected staff reductions for DIT and ASB associated with managing the consolidated Millennia contract compared to managing the 36 individual contracts.

Source: Board Case and OIG Analysis.

The intended results expected to be derived from using the GSA Millennia contract, the methodology DIT uses to measure those results, and whether the results have been achieved are detailed in Appendix II.

MEASURING COSTS AND SAVINGS

Although DIT’s analyses showed there have been savings on labor and procurements, DIT needed to improve its methodology for measuring ISC costs and the savings resulting from implementing this contracting approach. The methodology for cost analyses needed to establish: a baseline that could be adjusted for changing requirements, an analysis of costs attributable to overseeing the ISC compared to the costs for the prior contracts, and an analysis of procurement savings solely attributable to the ISC. Such improvements would provide DIT with enhanced performance evaluation and decision-making ability.

Projected Savings in the ISC Board Case

In the Board Case for Consolidated Infrastructure Contract Expenditure Authority Request, dated May 24, 2004, DIT reported that consolidation of the IT infrastructure contracts into the single ISC was projected to save approximately $1.6 million annually or $8.5 million on a net-present-value basis over the 5-year life of the contract.
Savings were categorized as reduced\ncontract expenses and FDIC staffing costs.\n\n  y   Reduced Contract Expenses \xe2\x80\x93 DIT estimated that vendor efficiencies resulting from\n      contract consolidation would result in a reduction in direct infrastructure contract expenses\n      of approximately $1.3 million annually, or at least $6.7 million on a net-present-value\n      basis over the 5-year life of the contract. These savings were based on the projected\n      contractor staffing reductions made possible by contract consolidation.\n\n  y   Reduced FDIC Staffing Costs \xe2\x80\x93 DIT projected staff savings for DIT and ASB of about 2\n      to 5 staff years annually due to the reduced workload associated with contract solicitation\n      and contract administration/oversight in a single-contract environment. DIT estimated\n      that this would result in a reduction in salary and benefits expenses of approximately\n      $365,000 annually, or $1.8 million on a net-present-value basis over the 5-year life of the\n      contract.\n\nOther potential savings were included in the Board Case for the contract. Specifically, DIT\nnoted that the contract consolidation effort applied only to existing contracted work (as of\nMay 24, 2004), not work performed by FDIC staff. At the time the Board Case was presented,\nDIT was analyzing the infrastructure work being performed by FDIC staff to decide whether to\noutsource some of the infrastructure functions.\n\nFAR Requirements for Cost Control\n\nFEDSIM awarded the Millennia contract under the FAR, which specifies in sections 16.301-3\nand 16-405-2(c) that cost-reimbursement-type contracts, including cost-plus-award-fee contracts,\nmay be used only when appropriate government surveillance will provide reasonable assurance\nthat efficient methods and effective cost controls are used. 
Additionally, FAR section 16.401\nemphasizes that incentive contracts should discourage contractor inefficiency and waste.\n\n\n\n\n                                                7\n\x0cFurther, FAR section 34.201 states, in general, that an Earned Value Management System\n(EVMS), as described below, is required for major acquisitions for development. The\ngovernment may also require an EVMS for other acquisitions, in accordance with agency\nprocedures.\n\nEarned Value Management\n\nEarned Value Management (EVM) is a principled approach to establishing and managing\nacquisition and project performance metrics. It is a method of determining a project\xe2\x80\x99s status by\ncomparing the time-phased value of work planned to the value of the work achieved and actual\ncosts expended. The key to an effective EVMS is the ability to allocate the budgeted cost of\nwork to be performed over the scheduled period of performance for a cost account that, in turn,\nis directly related to the contract work breakdown structure. EVM integrates the evaluation of\nthe project scope of work, schedule, and budget to optimize project planning and control. EVM\nis one method to monitor a project\xe2\x80\x99s progress in terms of cost and schedule, which provides\ninsights into performance.\n\nOMB issued Memorandum M-05-23, Improving Information Technology (IT) Project Planning\nand Execution, dated August 4, 2005, which required most federal agencies to use an EVMS for\nall new major IT projects, ongoing major IT developmental projects, and high-risk projects to\nbetter ensure improved execution and performance as well as promote more effective oversight.\nThe OMB memorandum required agencies to develop EVMS policies no later than\nDecember 31, 2005. The memorandum also offered information on resources and training to\nassist in developing and implementing EVMS policies. We confirmed that the FDIC is not\nrequired to follow the OMB memorandum. 
However, EVM is an effective way to manage and assess project performance.

DIT Cost Measurement and Savings Analysis

At the time we began our audit, DIT had not performed an analysis of ISC costs and cost savings. While mindful of measuring the benefits of the ISC, DIT stated that the contract was just over 1 year old and that an early analysis would not be completely reliable because contractor staffing and task requirements needed to stabilize. However, during the audit, DIT and SRA prepared analyses for the labor and procurement costs for the first year of the contract. DIT had also planned to perform an analysis of labor costs incurred for oversight and procurement personnel before and after the consolidation of the 36 contracts. DIT prepared two analyses to determine the savings derived from the first year of the ISC. The analyses showed that without considering anticipated reductions in FDIC staffing, first-year cost savings exceeded projected annual savings of $1.3 million, as set forth in the Board Case, for labor expenses and purchases. A discussion of DIT’s analysis and methodology follows.

Analysis of First-Year Labor Costs

DIT prepared an analysis to compare the ISC’s 2005 actual labor costs with the applicable portion of DIT’s 2004 infrastructure operations budget to determine whether the contract had achieved the $1.3 million in projected annual savings set forth in the Board Case. According to the analysis, subsequent to budget formulation, DIT estimated there would be $2.6 million in additional labor costs for outsourcing various infrastructure activities. In addition, DIT incurred actual costs of approximately $1.0 million on new or special items such as establishing a new disaster recovery facility in Richmond, Virginia; support for the Hurricane Katrina call center; and the initiation of FDICconnect Help Desk activities.
Therefore, DIT adjusted the baseline for comparing actual 2005 labor costs to the 2004 infrastructure operations budget from $23.3 million to about $27.0 million.

When DIT compared the adjusted baseline to the actual labor expenses for 2005, DIT determined that the estimated savings totaled $1.8 million (adjusted baseline of $27.0 million less actual expenses of $25.2 million). DIT’s estimate of actual labor cost savings exceeds the projected savings in the Board Case by about $500,000 ($1.8 million less $1.3 million). However, DIT did not allocate the $3.6 million in estimated costs for the unanticipated activities to specific task areas in its budget or track the actual costs of those activities against those task areas. As a result, DIT’s analysis did not allow for a full comparison of budgeted and actual costs. Further, the precise nature and cost of activities within specific task areas was not readily apparent. We were thus unable to validate DIT’s estimated savings. An EVMS or alternative, structured means used to measure actual costs to a baseline budget that would be adjusted as requirements changed would facilitate a more efficient and effective assessment of the ISC’s impact on efficiency.

We also reviewed SRA’s original and revised spending plans. Actual labor costs increased for the base year, and an increase totaling $23 million had been budgeted for all option years. The maximum amount of the ISC had not increased, but costs were reallocated among task areas. Without a comparison of original budgets and amounts spent to activities planned and accomplished, DIT could not determine whether the ISC contractor was efficiently performing the work.
Further, DIT ran the risk of (1) running out of funds for other tasks through reallocation of costs and (2) expending all of the allocated funding for the ISC prior to the end of the 5-year performance period if the division cannot effectively judge the contractor’s efficiency.

DIT’s Analysis of Labor Costs for Procurement and Oversight Costs

DIT planned to conduct an analysis of labor costs for procurement and oversight staff before and after contract consolidation. The Board Case contained a projected annual savings of $365,000 for managing the ISC, or $1.8 million over 5 years, due to the reduction in DIT and ASB procurement and oversight staff. DIT stated that the planned analysis could not be completed as part of the 2005 cost analysis because the DIT reorganization and staffing realignment was not completed until September 2005. At the time of our review, DIT had planned to prepare this analysis in 2006 but recognized the difficulty in doing so because the costs associated with managing the individual contracts that preceded the SRA contract had not been captured for comparison purposes.

At our exit conference, DIT officials indicated that SRA has been instrumental in establishing a process for requesting and conducting procurement of IT goods and services that has resulted in lower costs, faster delivery, and quantity discounts. In addition, DIT provided information dated October 23, 2006 from SRA regarding the average processing times for carrying out procurements.
Although the information does not compare current processing times to those that existed prior to the ISC, it does show that the average procurement time for micro-procurements over the 6-month period ending September 30, 2006 was less than 10 days, and the average time for competitive procurements was less than 15 days.

DIT’s Analysis of Procurement Costs

DIT also prepared an analysis of costs for procurements completed for the period May-December 2005. DIT identified savings of $964,866 attributable to SRA for recurring procurements such as software licenses, deactivated services, wireless services, and maintenance renewals. (See Appendix III for additional details on the DIT-identified savings.) Based on our review, a majority of these savings had been achieved through the ordinary course of requirements analysis, competition, and contract negotiation. Nevertheless, it was DIT’s view that the savings were largely attributable to the synergy of SRA’s technical, asset management, and procurement knowledge.

Use of EVMS for the ISC

Although the ISC, as originated, required SRA to use an EVMS, FEDSIM deleted the requirement as part of Modification PS01, dated November 05, 2004. The DIT PMO stated that DIT considered using EVM but determined that the EVM methodology applies more appropriately to development projects rather than ongoing infrastructure support services provided under the ISC. Additionally, DIT officials stated that they were more concerned with the overall cost reasonableness than in a comparison of costs to activities. DIT further noted that EVM would have added significant cost to the ISC contract.

In our view, applying EVM or another structured means of measuring costs and performance would enable DIT to better assess the ISC’s effectiveness.
An EVMS or similar system would provide a basis for comparing time-phased budgeted and actual costs for work planned and work performed, and DIT would be better able to assess ISC accomplishments.

Recommendation

We recommend that the Director, DIT:

1. Develop a more structured methodology for evaluating the performance of the ISC to ensure that the contract is meeting intended results. This methodology should include:

   • establishing a budgeted cost of labor, by activity, that is compared to actual labor costs over the scheduled period of performance of the activity, and
   • updating the baseline of budgeted cost as requirements change.

INTERNAL CONTROLS

The combination of controls established by the FDIC and those assigned to FEDSIM through the interagency agreement were adequate to ensure that work under the ISC complied with the contract terms and conditions. Further, DIT and FEDSIM have also established controls over labor costs that focused on ensuring total spending on each task area under the ISC was within pre-approved spending plans.
However, we concluded that the Corporation should consider:

    • providing additional oversight for decisions on significant contract modifications involving reallocations of contract funding, and
    • employing additional risk-based, cost-effective controls to monitor the mix of labor categories and labor rates utilized to fulfill task order requirements and the need for, and use of, highly paid staff in each labor category.

These controls will help to ensure that contract funds are used for intended purposes and avoid incurring unreasonable costs.

Internal Control Standards and FAR Requirements

The Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government characterize internal control as a major part of managing an organization. Internal control comprises the plans, methods, and procedures used to meet mission, goals, and objectives and in doing so, supports performance-based management. Internal controls provide reasonable assurance that objectives are being achieved in relation to effectiveness and efficiency of operations, including the use of the resources and reliability of financial reporting, including reports on budget execution.
Internal controls should be designed and implemented based on the related cost and benefits.

As stated earlier, FEDSIM awarded the Millennia contract under the FAR, which specifies in sections 16.301-3 and 16-405-2(c) that cost-reimbursement-type contracts, including cost-plus-award-fee contracts, may be used only when appropriate government surveillance will provide reasonable assurance that efficient methods and effective cost controls are used.

Consolidated Contracting Risks and Controls

DIT identified the following three risks in the Board Case, seeking approval of a consolidated infrastructure contract:

   • little experience in managing or monitoring performance-based contracts,
   • exacerbation of any performance issues by dependency on one contractor, and
   • increased contract costs because DIT has to reimburse actual costs.

DIT relied on the FEDSIM’s extensive experience with large-scale, performance-based award fee contracts to provide the support and guidance for establishing and monitoring the FEDSIM performance-based contract. With assistance from the FEDSIM, DIT had established controls that provide oversight of the contractor’s performance and limit the risk of dependency on one contractor. With regard to increased contract costs, DIT had implemented the controls described below.

Project Management Plan

The ISC required SRA to develop a Project Management Plan (PMP) that was based on SRA’s proposal for accomplishing the requirements of each required task. The plan was required to contain project management information such as milestones, levels of effort, organization, risk mitigation strategy, and budget information. SRA submitted budget information in the form of a spending plan that, on a monthly basis, compares planned costs to actual costs.
The PMP was used as the foundation for the Monthly Status Report, which is described below.

Reports, Meetings, and Other Controls

Much of DIT’s oversight activity, in addition to its daily contact with SRA staff, was carried out through the review of monthly and quarterly reports prepared by SRA and submitted to DIT, and through recurring meetings. Depending on the task, such reports and meetings could include the following:

  • Monthly Project/Activity Status Report. These reports included the project activity, status, and issues for each task area.

  • Monthly Status Report. The reports contained summaries of the management and technical progress to date and provided the current task order accounting information, including milestones and cost, total billed hours, burdened cost, award fee, items purchased for the government, software purchased and all costs associated with providing infrastructure security. The reports also contained the proposed spending plan for the following month, which, among other information, included labor-hour estimates and rates for individuals expected to work on the contract.

  • Quarterly Program Reviews (QPR). The QPR focuses on a high-level presentation of information already discussed and presented in other reports. The QPR included current task order financial status, anticipated task order financial status, current task order performance metrics, mitigation plans for under-performing areas, and other issues and concerns.

  • Monthly Budget Meetings. SRA provided a management and financial analysis that shows the underlying detail data and calculations regarding performance under the task order.

  • Problem Notifications.
    SRA submitted Problem Notification Reports to notify the Contracting Officer of all task order issues such as potential cost overruns/impacts and changed or incorrect assumptions for task orders.

Contract Funding

DIT had established adequate controls over SRA’s schedule and performance and ensuring total spending was within proposed spending plans. However, DIT and FEDSIM could improve controls for monitoring contract funding. Significant reallocations have already been made to the total contract spending plan to cover unexpected labor cost increases. For example, we observed that DIT processed Modification 05 to the ISC in August 2005 to reallocate $23 million in contract funding from contract line item numbers (CLIN) for hardware and software maintenance and technical refresh[4] to contractor and subcontractor labor categories. Table 3 presents information about the modification.

Table 3: CLIN Impact of Modification 05 (in millions)

CLINs                               Original Contract   Modification 05 Changes   Rationale for Change
                                    (September 2004)    (August 2005)
CLIN 0001 Labor                     $99.5               $12.9                     Information security staffing level of effort
                                                                                  was greater than SRA anticipated.
CLIN 0004b New category for         $0                  $10.2                     Local temporary support for short-term
subcontract labor not subject to                                                  special projects, surge support for
cost award fee                                                                    technology deployments.
CLIN 0005 Technology Refresh        $75                 ($11)                     Level of effort implied in initial ceilings was
CLIN 0006 Hardware/Software         $124.5              ($12.1)                   less than originally determined. DIT
Maintenance                                                                       anticipated that the FDIC would gain
                                                                                  significant cost savings on
                                                                                  hardware/software over the life of the ISC.
All other CLINs                     $42.7               $0
Total Contract                      $341.7              $0
Source: DIT.

Section G.10 of the ISC allows for the modification of CLINs provided there is adequate justification and authorization for such change. In this regard, DIT provided a July 19, 2005 Memorandum for the Record (M061 MOD 05 CLIN 0001 Ceiling Realignment Justification and Explanation) that presented a detailed rationale for the increased labor requirements.

DIT representatives explained that DIT did not use the ISC to purchase IT equipment until June 2005 (9 to 10 months into the ISC) because: (1) the National Treasury Employees Union (NTEU) received a 60- to 90-day period to evaluate labor issues associated with having contract employees (SRA) perform equipment purchase functions that FDIC employees had previously performed, and (2) it took DIT and SRA an additional 6 months to implement ISC equipment purchase procedures and processes. Instead, DIT stated that equipment purchases, including purchases for technical refresh, were made outside of the ISC on other contracts.
In October 2005, 1 year into the ISC, FEDSIM reported that the FDIC had $14.6 and $10.7 million remaining for 2005 in the technical refresh and hardware/software maintenance CLINs, respectively. DIT concluded that because it had not used the ISC to purchase IT equipment, technical refresh and hardware/software maintenance funding was effectively made available for reallocation to cover increased labor costs. Further, as shown above, DIT concluded that the reallocation had no impact on the total contract amount on the ISC contract. However, since requirements were met through the use of other contracts, an alternative to this reallocation would have been to reduce the total price or ceiling on the ISC. We saw no evidence that FDIC management had considered this approach.

[4] The infrastructure modernization component, or technical refresh, is the life-cycle replacement of various major components in the FDIC's technical infrastructure, including the mainframe, midrange servers, local area network servers, storage, workstations, telephone and video systems, and data wide-area network.

Due to the significance of the funding involved in this contract modification, we also analyzed the controls associated with processing such a modification. Table 4, on the next page, describes each of those control points.

Table 4: DIT Control Points Over ISC Funding

Control Point: Infrastructure Oversight Committee
Description: Among other things, the ISC Oversight Committee approves, or obtains approval for, all contract modifications and all fund reallocations among CLINs. DIT stated that the decision to reallocate contract estimates between CLINs had been discussed by the ISC Oversight Committee.

Control Point: Contract Modification Process
Description: The ISC requires “proper contractor justification and Government approvals” and documentation of the rationale for reallocating contract funds between CLINs. DIT officials noted that the reallocation was supported by a contract modification approved by FEDSIM.

Control Point: Procurement Planning and Management Framework (Framework)
Description: SRA developed the Framework to ensure that IT purchases that SRA makes on the Corporation’s behalf reflect FDIC management’s priorities and needs. The primary objective of the Framework is to compile and maintain lists of hardware, software, and other non-labor IT items that the FDIC plans to acquire to support its business mission. The lists, known as Procurement Rosters, are intended to help senior managers plan for upcoming purchases and ensure that budgetary resources are spent in a planned and organized fashion.

Control Point: Procurement Management Board (PMB)
Description: The PMB is composed of DIT and ISC senior managers. The PMB maintains the Procurement Rosters and meets monthly to decide which IT items should be procured by the FDIC in the near term and to decide the relative priority of items within a particular Procurement Roster.

Control Point: Infrastructure and Technology Refreshment Plan (Plan)
Description: SRA also developed this 5-Year Plan for the FDIC. The purpose of the Plan is to (1) define a standard FDIC methodology for technical refresh; (2) establish key milestones for engineering, examination of technology, and allocation of resources for orderly and cost-effective technical refresh; and (3) provide a basis for budget estimates and strategic budget planning.

Control Point: Contract Award Fee Evaluation Process
Description: The FDIC and FEDSIM have established the AFEB consisting of a chairman, who is the FDIC PMO; FDIC functional area representatives; and the FEDSIM Contracting Officer’s Representative. The FEDSIM Contracting Officer is a non-voting advisory member of the AFEB. Additional non-voting members may be a Secretariat/Recorder and Technical Monitors, as deemed appropriate by the AFEB Chairman. This process helps to monitor contract costs and ensure that SRA meets service-level agreements related to infrastructure performance. Changes to the ISC are discussed at quarterly award fee evaluation board meetings, which are attended by ASB representatives and the CIO. Periodically, the CIO, Deputy CIO, and ASB also brief the Chief Operating Officer (COO) about the status of the contract. Additionally, DIT is required to inform the FDIC’s Board of Directors if the contract ceiling or the contract duration significantly changes.

Control Point: Corporate Budget Process
Description: DIT’s corporate budget is approved by the Chief Financial Officer (CFO), COO, and the Board and is closely monitored by the Division of Finance (DOF). DIT noted that if the division budgets an amount for equipment purchases and then does not expend that amount, DIT could lose the ability to spend those funds in future budget years.

Source: DIT officials.

DIT officials contended that sufficient controls were in place over ISC funding and technical refresh decisions. While we agree that the controls discussed in Table 4 should help to ensure that contract funds are expended in a planned and organized manner, there is an opportunity to further strengthen these controls to ensure funds are used for intended purposes.

Governance Structure Over Labor Cost Increases

Although the FDIC has a detailed governance structure for IT investments, it does not have a corresponding process for reviewing proposed contract modifications for significant reallocations of contract funding, including increases in contract labor. For example, the FDIC has two primary oversight bodies for significant IT investments: the Capital Investment Review Committee (CIRC) and the CIO Council. The CIRC monitors IT and non-IT projects valued at $3 million or more. At its discretion, the CIRC may extend its review authority to projects below the $3 million threshold. The CIRC is co-chaired by the CFO and CIO, and its members include the Deputy to the Chairman, General Counsel, and FDIC division directors. The CIRC oversees investments throughout their life cycle and provides quarterly reports to the Board of Directors on project finances, milestones, and performance. The CIO Council, which includes executive representatives from most divisions and offices, meets monthly to deliberate matters relating to the use of IT within the FDIC.
Council members advise the CIO on IT matters and work together on cross-cutting issues such as enterprise architecture management and IT investment management.

In addition, DIT has made the Board aware of significant equipment purchases under the ISC. In this regard, in May 2006, DIT worked through DOA to issue an April 2006 memorandum entitled, Supplemental Information to the Contract Assessment Report, to the FDIC Board, notifying the Board of DIT’s intent to expend $6 million to purchase a large number of desktop personal computers and computer monitors. This memorandum also noted that “[t]he approved expenditure authority and resulting [infrastructure services] contract include the purchase of replacement equipment totaling an estimated $75 million over the five-year period. The replacement of this equipment was outlined in DIT’s Infrastructure Technology Refresh Plan.”

However, DIT did not have a similar oversight process for the reallocations of contract funding on the ISC contract. Through Modification 05, DIT increased contract and subcontract labor funding by $23 million and decreased existing technology refresh and hardware/software maintenance funding by a corresponding amount. These labor increases were for enhanced IT security and expenses related to the Richmond Disaster Recovery site. However, had this increase been for a new system development project or IT equipment, it likely would have been subject to CIRC and CIO Council reviews or subject to DIT’s delegated payment approval authority limits.[5] As a line item reallocation involving significant contract funding, however, the contract modification resulting in the reallocation was not subject to the same oversight.

Adding controls related to contract modifications involving significant funding reallocations on the ISC could strengthen the oversight process by ensuring that funds are used for their intended purposes.
Further, including independent divisional and office representatives on certain oversight committees for the ISC would benefit the FDIC by providing a balanced corporate perspective on significant contract-funding decisions.

Controls Over the Reasonableness of Labor Charges

DIT has established controls over the reasonableness of labor charges by ensuring the charges stayed within monthly spending estimates for various task areas and by monitoring whether average hourly rates being billed for each labor category were within the ceiling rates established in the ISC. DIT has determined this was an appropriate approach because the ISC is a performance-based contract, and SRA has some flexibility in staffing, organization, and implementation. However, these controls would not always identify instances in which the FDIC is paying labor rates that are not commensurate with task order requirements.

[5] Division directors had payment approval authority for non-procurement-related expenses up to $2 million.

Spending Plan Control

DIT, FEDSIM, and SRA had established an overall spending plan for the contract period that allocates the total contract dollars into 10 task areas. This spending plan is broken down by year, and for the current year, included labor hour estimates and rates for personnel expected to work on the contract. DIT receives monthly invoices and monthly status reports that include current charges and spending to date. DIT reviews this information with SRA at monthly meetings.

The monthly report shows the current month and a cumulative annual total of labor hours and costs for personnel used on the contract but does not show the variance from individual and labor category estimates in the annual spending plan. Further, the contractor provides only a brief explanation of any dollar variances between actual and planned total expenditures for each task area.
DIT reviews the monthly invoices and status reports, but the review does not focus on the hours worked by highly-paid staff, the labor rates paid to individuals, or the mix of labor categories used. Instead, DIT uses the spending plan and monthly reports to monitor the total spending on each task area and for determining whether incremental funding will be needed for work that may be added.

Millennia Contract Criteria

GSA provided Millennia contractors the latitude to assign staff with various skill levels to a labor category if they met the minimum requirements. The Millennia contract contains 17 labor category descriptions.

The Millennia contract, Section B, Services and Prices/Costs, paragraph B.2.2.3, Ceiling Rates, defined ceiling rates as the maximum direct labor rates (contractor site) to be proposed and/or billed under this contract. These ceiling rates apply to cost-reimbursable orders and proposals for fixed-price orders. The ceiling rate should anticipate the maximum technical expertise needed over the life of the contract and is not necessarily bound by current staff.

The Millennia contract, Section B, paragraph B.2.2.4, Composite Rates, defined composite rates as the average burdened hourly labor rate experienced by the offeror for a similar scope of work and shall be based on current personnel in labor category descriptions. The composite rate is the average rate based on current staff and similar tasking.

Calculation of Individual Labor Rates

Neither the Millennia contract nor the ISC provides clear guidance on the determination of whether labor charges are reasonable. SRA computes the average rate on its monthly billing by dividing the “Inception to Date Dollars” by the “Inception to Date Hours” to arrive at a “Billing Rate” average for each labor category.
FEDSIM and the FDIC compare the average hourly rate for a labor category to the ISC ceiling rate for that category to determine whether billing rates are less than the ceiling rate. We determined that the SRA billing rate average for each labor category was below the applicable ceiling rate for the period we reviewed. However, we found instances where the hourly charges for SRA employees varied by as much as $121 within a particular labor category and where hourly charges for certain employees exceeded the ceiling rates.

Variances in Labor Rates Within Labor Categories

DIT stated that it worked with SRA to ensure that skills and resources employed are appropriate and that DIT has challenged SRA in the past regarding personnel who do not appear to have the appropriate skills. However, with regard to reviewing labor rates and hours billed, FEDSIM and DIT officials acknowledged that they focused on ensuring that total labor charges were within annual spending plan limits and that the average labor rates for individual labor categories did not exceed the labor category ceilings.

As shown in Table 5, the hourly rates charged within labor categories varied substantially.

Table 5: Comparison of Contract Ceiling Rates to Hourly Rates Paid

Material Redacted

The FEDSIM Project Manager explained the variance in individual labor rates by stating that vendors control the assignment of employees to Millennia labor categories, and the large variance in rates was due to salary differences. The ISC Program Lead stated that because there were minimum qualifications for each labor category in the Millennia contract, it was possible to have a wide range of acceptable skill levels and hourly rates within a specific category.
The FEDSIM Project Manager stated that the flexibility contractors have to assign staff at various skill levels, as long as they meet the minimum requirements outlined in the ISC, ensured that contractor staff were available to satisfy FDIC requirements.

The ISC PMO stated that the application of the labor rate structure allowed for specialized contractor staff paid at higher labor rates to be assigned to complex or high-priority tasks on an as-needed basis. DIT believed that the FDIC benefited from the higher level of technical knowledge and experience through these assignments.

We acknowledge the potential benefits of having more experienced, skilled, or qualified staff assigned to specific labor categories as indicated by the higher labor rates. However, our analysis showed that there was a wide range of rates charged in each labor category, and 40 percent of SRA personnel were paid 80 percent more than the ceiling rate for their labor category. Additionally, 90 percent of SRA’s staff was billed at 60 percent more than the ceiling rate. Therefore, over the long-term, DIT must be mindful of the risk that the FDIC may be incurring unnecessary costs because SRA was using staff with higher salary rates than necessary for certain task order requirements, particularly when it had implemented an invoice review process that does not focus on individual rates and hours being paid.

Table 6 illustrates how staffing the ISC with employees compensated at higher labor rates that may not be commensurate with task order requirements can result in higher costs to the FDIC.

Table 6: Rates for Highly-Compensated Employees

Material Redacted

Ceiling Rates

We compared individual hourly labor rates to the ceiling rates for each labor category for the 3-month period ended September 30, 2005.
The labor rates for some personnel were higher than
the ceiling rates for that labor category. Table 7 illustrates the hourly charges
that exceeded the ceiling rates for 16 employees for the July 2005 billing period.

Table 7: Summary of Charges that Exceeded Ceiling Rates for July 2005

Material Redacted

In total, we identified about $30,000 paid for labor costs above the ceiling rates for the 3-month
period we reviewed. This amount projected over the 5-year life of the SRA contract could result
in payments totaling about $600,000 ($30,000 per quarter for 4 quarters per year for 5 years).

DIT stated that most of the SRA employees who had been paid rates that exceeded ceiling rates
either have been replaced with lower-paid personnel or are no longer assigned to the ISC. To
verify that corrective action had been taken, we compared a June 2006 invoice to the September
2005 invoice that was part of our initial review. We found that two employees included in our
earlier analysis were still employed at rates that exceeded the ceiling rates. We also found five
additional employees whose hourly rates exceeded the ceiling. In total, the seven employees
accounted for $8,548 in total charges over the ceiling rates on the June 2006 invoice. Compared
to our analysis of the invoices for September ($11,308), August ($3,277), and July 2005
($15,478.59), the amount spent in June 2006 for labor exceeding the ceiling rates was about the
same as the average amount ($10,021) charged for labor exceeding the ceiling rates during the
initial period we reviewed.

DIT stated that it was very concerned about cost and that DIT and FEDSIM reviewed invoices to
ensure cost reasonableness.
However, as discussed previously, DIT stated that it focused on
ensuring the average rate being paid was within the contract ceiling rate—consistent with its
interpretation of the contract terms. The Millennia contract is subject to interpretation on how
the ceiling rate is to be applied to contract billing. Paragraph B.2.2.3 of the Millennia contract
defines “Ceiling Rates” as the maximum direct labor rates to be proposed and/or billed.

We contacted GSA and determined that some Millennia contractors submit bills comparing each
employee’s labor rate to the ceiling rate for each labor category, while other contractors, like
SRA, will bill at an average rate for each labor category with the intent that the average for the
month must be below the ceiling rate for each labor category. The GSA representative stated
they take no exception to either method of computing actual labor rates.

Further, DIT stated that the FDIC was benefiting from contractor employees who may be more
highly qualified to accomplish tasks assigned within each labor category. Nevertheless, this
cost-plus-award-fee contract requires sound control of costs. Employing additional risk-based,
cost-effective controls in this area could help the Corporation avoid incurring unreasonable labor
costs.

Recommendations

We recommend that the Director, DIT:

2. Strengthen the oversight process for proposed contract modifications involving significant
   reallocation of contract funding to provide control similar to that which the Corporation has
   established for IT investment and major equipment purchase decisions.

3. Establish additional risk-based, cost-effective controls to assure that labor costs are
   reasonable for the work performed.
   Such controls could address monitoring:

  •   the mix of labor categories and labor rates utilized to fulfill task order requirements and
  •   the need for, and use of, highly-paid staff in each labor category.

CORPORATE COMMENTS AND OIG EVALUATION

On January 4, 2007, the Chief Information Officer and Director, DIT, provided a written
response to this report. DIT’s response is presented in its entirety in Appendix IV. Overall, DIT
agreed to take corrective actions that are responsive to the recommendations and are planned to
be completed by January 31, 2007. Appendix V contains a summary of management’s response
to the recommendations. The recommendations are resolved but will remain open until we have
determined that the agreed-to corrective actions have been completed and are effective.

In response to recommendation 1, DIT stated that in order to develop a more structured
methodology for evaluating the performance of the ISC for 2006 and 2007, the Infrastructure
Services Branch (ISB) has aligned the ISB budget and the ISC spending plan for labor by
activity. In addition, the ISB has established a process, to capture cost estimates for new work,
that can be used to adjust the budget baseline.

In response to recommendation 2, DIT stated that a process will be established for presenting and
obtaining senior management approval for contract line item reallocations over $5 million.

In response to recommendation 3, DIT stated that established evaluation processes and
day-to-day oversight activities assure that labor costs are reasonable for work performed.
DIT intends
to further enhance controls by developing a process for conducting periodic program-wide
reviews to assess the reasonableness of the ISC staffing and management plans.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether:

   •   controls are adequate to ensure that work performed under the Millennia contract
       complies with the contract’s terms and conditions and
   •   this contracting method has produced the intended results.

To accomplish our objectives, we reviewed:

   •   the Board of Directors-approved Consolidated Infrastructure Contract Expenditure
       Authority Request submitted by the former Division of Information Resources
       Management, now the Division of Information Technology (DIT);
   •   the Interagency Agreement between the FDIC and FEDSIM;
   •   the Millennia contract awarded to SRA;
   •   the ISC issued by GSA under the FEDSIM agreement to provide information technology
       services to the FDIC;
   •   documentation supporting monitoring of the contractor’s performance;
   •   the award fee determination plan and a sample award fee determination;
   •   the FDIC’s draft report on cost savings;
   •   a sample of billings submitted by the contractor, through GSA, and approved by the
       FDIC; and
   •   a sample of billings submitted by FEDSIM and approved by the FDIC.

Also, we interviewed the DIT PMO responsible for monitoring performance under the ISC and
the FEDSIM Project Manager responsible for the general administration of the ISM.

We conducted our review from November 2005 to September 2006 in accordance
with generally
accepted government auditing standards.

Internal Controls

We evaluated the effectiveness of management controls by reviewing policies and procedures,
contract documents, and documentation of contractor monitoring and by interviewing FDIC
executives and employees directly involved with the management and oversight of the contract.
Additionally, we discussed our audit results concerning FEDSIM management with
representatives from GSA’s OIG.

Validity and Reliability of Data from Computer-Based Systems

We assessed the reliability of the computer-based data provided to the FDIC from SRA’s time
and attendance system. We examined the billings for obvious errors, missing rates, rates outside
the range of the ceiling rates, and dates outside of those normally worked. As a result of the
tests, we believed we could rely on the validity of time and attendance data submitted by SRA
for billing purposes. We compared the billing rates for one quarter, July to September 2005, to
rates contained in the Millennia contract. We did not audit the billings but determined that the
billing data were sufficiently reliable to meet our audit objectives.

Compliance With Laws and Regulations

We used the FAR provisions on performance-based contracting as criteria for evaluating how the
FDIC had been monitoring the ISC. This report identifies ways in which the FDIC could
strengthen its monitoring of the ISC and thus comply with the intent of such FAR provisions.
We also considered provisions of the Small Business Act and related regulations regarding
contract bundling. Contract bundling, in general, is the consolidation of smaller contracts into a
larger contract that is unsuitable for award to small business concerns due to the diversity, size,
specialized nature or geographic dispersion of the contracted work.
We noted no significant
deficiencies given our audit objective.

Government Performance and Results Act

The FDIC’s infrastructure facilities, hardware, software, and systems support the FDIC’s mission
to preserve and promote public confidence in the U.S. financial system by providing tools for
monitoring and addressing risk to the Deposit Insurance Fund. The FDIC’s 2005 Strategic Plan
included a performance objective to complete contract consolidation, identify and realize cost
reductions, and implement help desk improvements. A full and complete quality-driven
infrastructure with support services is necessary to achieve the FDIC’s mission. The FEDSIM
interagency agreement was to provide IT support through managing and operating all of the
FDIC’s infrastructure facilities, hardware, and software.

We tested whether intended results were being achieved on the ISC. We based our assessment
on our review of GSA’s and DIT’s contractor quality reviews, which concluded that SRA’s
performance was acceptable. Additionally, we reviewed documents supporting award fee
determinations and the contractor’s self-assessment. However, we could not fully determine
whether cost savings were fully achieved as discussed in the report section entitled, Measuring
Costs and Savings.

Fraud and Illegal Acts

We were alert for fraud as we performed our audit.
No instances of fraud and illegal acts came
to our attention during our audit.

APPENDIX II

INTENDED RESULTS AND MEASUREMENT CRITERIA

Each entry below gives the Intended Benefit, the Measurement Criteria, and the Result Achieved
(Yes/No/Partially).

Intended Benefit: 1. Single point of accountability and responsibility for contractor performance.

   Measurement Criteria: Not measured. SRA was the single point of accountability responsible for
   all infrastructure functions.
   Result Achieved: Yes. SRA was accountable for all aspects of IT infrastructure support,
   eliminating at least nine labor services contracts and most of the other contracts supporting the
   FDIC’s various infrastructure functions, thus facilitating DIT’s ability to manage the ISC as a
   performance-based contract.

   Measurement Criteria: Under the interagency agreement, the FEDSIM functions as the single point
   of accountability for the contractor’s performance.
   Result Achieved: FEDSIM was accountable for providing acquisition and project management
   support to ensure that current and planned FDIC IT requirements were met. FEDSIM oversaw the
   planning and implementation of the solicitation process, proposal evaluation and award, and
   contract administration, quality assurance, process improvement, and IT tools procurement.

Intended Benefit: 2. Results-based contract administration, including performance metrics.

   Measurement Criteria: Award fee determination using a quality assurance surveillance plan that
   provides the FEDSIM with measurable inspection and acceptance criteria.
   Result Achieved: Yes. The FDIC contracted for results-based contract administration. The FDIC
   had assumed the FEDSIM’s responsibility for technical monitoring and subject matter expertise,
   thereby reducing the FEDSIM’s hourly oversight charges. DIT believed its monitoring would also
   ensure the highest level of performance and that the ISC met the FDIC’s requirements.

   The FEDSIM was providing contract administration support such as processing contract
   modifications, ensuring compliance with the FAR, reviewing invoices in terms of contract labor
   rates, etc.

Intended Benefit: 3. Improved infrastructure performance and service.

   Measurement Criteria: Award fee determination using a quality assurance surveillance plan that
   provides the FEDSIM with measurable inspection and acceptance criteria.
   Result Achieved: Yes. FEDSIM was the final approving authority for the award fee. However, the
   AFEB, comprised of FDIC and FEDSIM members, makes a recommendation based on
   technical-service-level agreements and subjective evaluations. FEDSIM’s Award Fee Determination
   Official then reviews the recommendation to ensure that it is fair based on results achieved. The
   April through September 2005 award fee determination recommendation, prepared by the FDIC,
   noted “increased stability and improved performance” by SRA. The most recent mid-term
   evaluation dated August 17, 2006 credited SRA with identifying best practices, process
   improvements, and making strategic recommendations. The evaluation also noted that SRA had
   improved system stability and decreased downtime while being proactive in developing and
   implementing solutions. Further, the evaluation noted that SRA’s Help Desk performance,
   according to an independent assessment, continued to be higher than the industry average.

Intended Benefit: 4. A long-term relationship that shares risk and motivates the contractor and
identifies and implements industry best practices.

   Measurement Criteria: Award fee determination coupled with a 5-year contract period.
   Result Achieved: Yes. The award fee was reduced pending anticipated improved performance. The
   FDIC participates in recommending an award fee. Based on the recommendations, the FEDSIM had
   final authority to award the fee.

   Measurement Criteria: Award fee determination includes specific measurement criteria, including
   progress toward strategic goals, including proactive identification of areas of innovation.
   Result Achieved: Yes. Overall, SRA was rated “above average” bordering on excellent during the
   April 2005 through September 2005 rating period. DIT noted “proactive improvements” in
   performance and stated that SRA should “continue to progress in the proactive identification of
   process improvements, best practices, and strategic recommendations.”

Intended Benefit: 5. Continuing technology refresh and innovation in response to contract
incentives.

   Measurement Criteria: The award fee determination plan includes specific measurement criteria,
   including progress toward strategic goals, including meeting business needs for capacity and
   functionality and proactive identification of areas of innovation.
   Result Achieved: Yes. In the April through September 2005 award fee determination, SRA’s
   overall performance was rated above average with no serious nonconformance, delays, or cost
   issues. Innovation was rated as improving during the first year of the 5-year contract.

Intended Benefit: 6. Reduced contractor turnover and longer-term retention of knowledgeable
contractor staff.

   Measurement Criteria: The 5-year contract was evidence of reduced contract turnover to new
   vendors.
   Result Achieved: Yes. DIT stated that the intent of this goal was not to measure contractor
   employee turnover but to avoid total contractor turnover. Prior to the ISC, multiple contracts
   had been issued predominately as short-term (1 base year, 2 option years) contracts that
   terminated at various times. Significant time and resources were expended for the ongoing
   solicitation and award of replacement contracts, and turnover occurred if the contracts were
   awarded to new vendors.

   Measurement Criteria: Qualified personnel are included in the evaluation criteria of the Award
   Fee Determination Plan.
   Result Achieved: Yes. DIT expects that there would be contractor employee turnover as SRA
   strives to find the best fit of talent to meet the FDIC’s requirements and as technology
   progresses. The expectation was that performance and continuity would not be affected as this
   occurred. Although we noted several instances of negative feedback in the FDIC’s performance
   award recommendations, the contractor was rated above average by GSA, and positive feedback on
   performance affected by knowledgeable staff was included in the performance award
   recommendation.

Intended Benefit: 7. Cost reduction resulting from increased purchasing power and elimination of
inefficiencies in overlapping contract scopes.

   Measurement Criteria: Award Fee Determination Plan Criteria
   Result Achieved: Partially. DIT prepared a cost-savings analysis for equipment and an analysis
   of contract labor. However, we could not verify DIT’s claimed cost savings. DIT planned to
   prepare a cost-savings analysis to show staff reductions projected for DIT and ASB associated
   with managing the consolidated DIT contract compared to managing the 36 individual contracts.

Source: Board Case and OIG Analysis.

APPENDIX III

OIG ANALYSIS OF SAVINGS ASSOCIATED WITH SRA CONTRACTING ACTIONS

Vendor  Product Description        Reported Action Resulting in Savings                                   Reported Savings (a)
(b)     Licensing                  Analyzed licensing needs.                                                          $658,021
        Maintenance                Negotiated reduced price.                                                            $9,688
        Maintenance                Comparative shopping resulted in lower bid.                                          $2,085
        Maintenance                Comparative shopping resulted in reduced rate.                                       $1,415
        Onsite support             New agreement reached.                                                              $21,571
        Maintenance renewal        Eliminated maintenance through recommendations to the FDIC.                          $2,134
        Internet circuit provider  Negotiated lower monthly rate with same provider.                                   $23,060
        Maintenance renewal        Questioned initial quote that included upgrade in service.                          $46,354
                                   Reduced cost to support software.                                                   $19,754
        Maintenance renewal        Vendor competition for best price.                                                   $7,505
        Wireless services          SRA moved services to shared plan. Negotiated lower prices on      .               $149,100
        Deactivated services       SRA monitored wireless use. Initiated without the FDIC’s knowledge.                 $24,179
Grand Total Reported by DIT                                                                                           $964,866

Source: DIT Analysis of Savings on Recurring Procurements and OIG Analysis.

(a) We reviewed the nature of the reported actions and noted that many of the actions had been achieved
during the ordinary course of procurement activities. DIT was certain, however, that SRA had played an
important role in each of the actions.

(b) Since this category represents the largest savings, the OIG reviewed this item in the greatest detail. We
determined that the savings was attributed to a reduction in the number of licenses, and according to
SRA, most of the cost reductions in this category had been realized because only Software Assurance
(software maintenance) is purchased under the new contract rather than licenses and Software Assurance
that had been purchased together under the previous contract. Each license that the FDIC procured for
each product is owned in perpetuity by the FDIC. That is, once the license is purchased, the FDIC is
entitled to use the purchased version of the product forever. The FDIC must purchase maintenance,
termed Software Assurance, on a given product in order to secure version updates.

APPENDIX IV

CORPORATION COMMENTS

APPENDIX IV

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of
the recommendations as of the date of report issuance.

Rec. Number: 1
   Corrective Action (Taken or Planned/Status): DIT believes that a more structured methodology for
   evaluating the performance of the ISC has been achieved for 2006 and 2007. The ISB has aligned
   the ISB budget and the ISC spending plan for labor by activity. Additionally, ISB has established
   a process for capturing cost estimates for new work which can be used to adjust the budget
   baseline. DIT will document these two activities.
   Expected Completion Date: January 31, 2007
   Monetary Benefits: $0
   Resolved (a), Yes or No: Yes
   Open or Closed (b): Open

Rec. Number: 2
   Corrective Action (Taken or Planned/Status): DIT will establish a process for presenting and
   obtaining senior management approval for contract line item reallocations over $5 million.
   Expected Completion Date: January 31, 2007
   Monetary Benefits: $0
   Resolved (a), Yes or No: Yes
   Open or Closed (b): Open

Rec. Number: 3
   Corrective Action (Taken or Planned/Status): In addition to established evaluation processes and
   day-to-day oversight activities to assure that labor costs are reasonable for work performed, DIT
   will develop a process for conducting periodic program-wide reviews to assess the reasonableness
   of the ISC staffing and management plans.
   Expected Completion Date: January 31, 2007
   Monetary Benefits: $0
   Resolved (a), Yes or No: Yes
   Open or Closed (b): Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is
    consistent with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is
    acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
    Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are
    effective, the recommendation can be closed."